Tokenization helps ShopNBC cut its PCI-compliance costs in half

By Zak Stambor, Managing Editor

The retailer now stores codes that can’t be used to make purchases.

TV and Internet retailer ShopNBC.com last year added tokenization, a technology that changes consumers’ payment card information into randomized codes, to its payment security strategy to make it easier to comply with Payment Card Industry Data Security Standards, a set of rules created by payment card networks to protect cardholder data.

The retailer had kept access to encrypted credit card data in-house. That required a large number of servers that had to be maintained and kept PCI-compliant, says Joan Radtke, senior director of credit at ShopNBC, No. 91 in the Internet Retailer Top 500 Guide.

The retailer wanted to use tokenization to add another layer of payment security, but doing so is a large project that would require a lot of manpower. So the retailer decided to outsource the job to payment processor Litle & Co.

Since the retailer implemented tokenization last year, ShopNBC’s servers don’t receive a real credit card number. Instead, when a customer enters his card data, Litle & Co. receives the payment information, stores and processes the payment card information and creates a token assigned to that card that it then sends to ShopNBC. The token effectively substitutes payment card information with a code that is valueless if ShopNBC’s systems are compromised.

Radtke says that it was important to move sensitive payment card information off ShopNBC’s storage systems. The move reduced the number of ShopNBC servers that had to be PCI-compliant, she says. And it has helped cut its PCI-compliance costs in half.
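
The flow described above, sketched as an added example (not code from ShopNBC or Litle & Co.): the processor alone holds card numbers, the retailer stores only tokens, and a card-number discovery scan over the retailer's records comes back empty. The class names, the `tok_` token format and the sample order are assumptions made for illustration.

```python
import re
import secrets
import string

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class Processor:
    """Hypothetical stand-in for the processor: the only party holding card numbers."""
    def __init__(self):
        self._token_by_pan, self._pan_by_token = {}, {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:  # one token per card
            # Random letters only: not derived from the card number, and never
            # mistaken for one by the scan below (a choice made for this example).
            token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
            self._token_by_pan[pan], self._pan_by_token[token] = token, pan
        return self._token_by_pan[pan]

    def charge(self, token, cents):
        return token in self._pan_by_token and cents > 0  # only the vault can resolve it

class Merchant:
    """The retailer's side: its order store holds tokens, never card numbers."""
    def __init__(self, processor):
        self.processor, self.orders = processor, []

    def place_order(self, customer, token, cents):
        paid = self.processor.charge(token, cents)
        self.orders.append({"customer": customer, "card_ref": token, "cents": cents, "paid": paid})
        return paid

def find_pans(records):
    """PAN discovery scan: Luhn-valid runs of 13-19 digits in stored records."""
    text = " ".join(str(v) for rec in records for v in rec.values())
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]

if __name__ == "__main__":
    processor = Processor()
    shop = Merchant(processor)
    token = processor.tokenize("4111111111111111")  # widely used test number; sent to the processor only
    shop.place_order("alice", token, 2599)
    print(shop.orders, find_pans(shop.orders))
```

The same `find_pans` scan run over a record that still holds a raw card number reports it, which is the check that shows a datastore has actually left scope.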